The Global Environment for Network Innovations (GENI) is an experimental suite of infrastructure designed to support Network Science and Engineering experiments ranging from new research in network and distributed system design to the theoretical underpinnings of network science, network policy and economics, societal values, and the dynamic interactions of the physical and social spheres with communications networks. Such research holds great promise for new knowledge about the structure, behavior, and dynamics of our most complex systems, networks of networks, with potentially huge social and economic impact.

Researchers will be able to build their own new versions of the "net" or to study the "net" in ways that are not possible today. Compatibility with the Internet is NOT required. The purpose of GENI is to give researchers the opportunity to experiment unfettered by assumptions or requirements and to support those experiments at a large scale with real user populations.

NDSS ’09 will focus on practical aspects of network and distributed system security, with emphasis on actual system design and implementation rather than theory. A major goal of the Symposium is to encourage and enable the Internet community to apply, deploy, and advance the state of available security technology. The following presentations are planned.

Keynote Address: Penetration Testing for Grown Ups

Ivan Arce, CTO and Co-Founder of Core Security Technologies
Penetration testing is over 30 years old, yet for most of its history it has been deemed a costly, obscure and narrowly focused security practice, delivered as craftsmanship of limited value by very technically skilled security teams. The appearance in the early 2000s of commercial penetration testing software, open source tools and more formalized methodologies signaled a trend towards industrialization and more widespread adoption of the practice.

This growing adoption of penetration testing software and methodologies, and of their underlying philosophy, implies a shift in the way of doing and thinking about security at the operational and tactical levels. To transcend the perception of being simply a "badness-o-meter" and leap to the more respectable status of a key component of one's overall security strategy, numerous technical, scientific and epistemological dilemmas must be addressed and, hopefully, solved.

In this talk I will go over the past decade's evolution of penetration testing, the current challenges and opportunities, and the open and unexplored territory that grown-up security practitioners will face in the next decade.

Invited Talk: Secure Programming with Static Analysis

Brian Chess, Chief Scientist, Fortify Software
Creating secure code requires more than just good intentions. Programmers need to know how to make their code safe in an almost infinite number of scenarios and configurations. Static source code analysis gives programmers the ability to review their work with a fine-tooth comb and uncover many of the kinds of errors that lead directly to vulnerabilities. This talk will frame the software security problem and show how static analysis is part of the solution. We will look at how static analysis works, how to integrate it into the software development process, and how to make the most of it during security code review. Along the way we'll look at examples taken from real-world security incidents, showing how coding errors are exploited, how they could have been prevented, and how static analysis can rapidly uncover similar errors.

Paper Presentations

Prateek Saxena and Dawn Song, University of California Berkeley; Yacin Nadji, Illinois Institute of Technology
Cross-site scripting is the most dominant category of vulnerabilities, with over 17,000 attacks documented in 2007 alone. Web markup and client-side languages provide no principled mechanisms to ensure secure, ground-up isolation of user-generated data in web applications. We propose a mechanism to isolate user-generated data in web applications, to ensure structural integrity of trusted web application code, from its point of generation on the web server to its rendering on the browser. Our preliminary evaluation on more than 5,000 real-world vulnerable websites reveals that enforcement of a single policy using our mechanism defeats over 98% of the attacks we study.

R Sekar, Stony Brook University
Taint-tracking has emerged as one of the most promising techniques for defeating a wide range of exploits such as SQL injection, command injection, and cross-site scripting. Unfortunately, it requires intrusive, fine-grained instrumentation of applications that exacts heavy performance overheads, and can impact application robustness. In contrast, we present taint-inference, a new technique that infers taint from an observation of inputs and outputs of a web application. We show that it can accurately detect the above-mentioned attacks across a range of web applications written in multiple programming languages, while imposing runtime overheads below 5%.

Matthew Van Gundy and Hao Chen, University of California Davis
Cross-Site Scripting (XSS) is among the most common, serious web application vulnerabilities. Eliminating XSS is challenging because it is difficult for web applications to sanitize all user inputs appropriately. Our solution, Noncespaces, neutralizes XSS exploits by using randomization and XML namespaces in a novel way. After the web application randomizes the namespace prefixes of trusted content, clients can identify all untrusted content reliably. We demonstrate how to apply Noncespaces to web applications built using the Model-View-Controller design pattern with minimal modifications.

The Blind Stone Tablet: Outsourcing Durability

Peter Williams and Radu Sion, Stony Brook University; Dennis Shasha, New York University
We introduce a new paradigm for outsourcing the durability property of a transactional database to an untrusted service provider, who supports transaction serialization, backup and recovery for clients, with full confidentiality and correctness. Moreover, providers learn nothing about transactions (except their size and timing), achieving read and write access pattern privacy. Our proof-of-concept implementation of this protocol for the MySQL database management system achieves tens of transactions per second in a two-client scenario with full transaction privacy and guaranteed correctness.

Sherman S.M. Chow, Jie-Han Lee and Lakshminarayanan Subramanian, New York University
We show how to perform various privacy-preserving queries over distributed databases under the honest-but-curious model. Our system provides the same level of scalability as a trusted-central-party-based solution while providing privacy without using heavyweight cryptography. The key idea is to develop a Two-Party Query Computation Model comprising a randomizer and a computing engine which do not reveal any information between themselves. We prove that our system is secure and demonstrate its practicality using a real-world implementation.

SybilInfer: Detecting Sybil Nodes using Social Networks

George Danezis, Microsoft Research; Prateek Mittal, University of Illinois at Urbana-Champaign
SybilInfer is an algorithm for labeling nodes in a social network as honest users or Sybils controlled by an adversary. At the heart of SybilInfer lies a probabilistic model of honest social networks, and an inference engine that returns potential regions of dishonest nodes. The Bayesian inference approach to Sybil detection comes with the advantage that each label has an assigned probability, indicating its degree of certainty. We prove through analytical results as well as experiments on simulated and real-world network topologies that, given standard constraints on the adversary, SybilInfer is secure, in that it successfully distinguishes between honest and dishonest nodes and is not susceptible to manipulation by the adversary. Furthermore, our results show that SybilInfer outperforms state-of-the-art algorithms, both in being more widely applicable and in providing vastly more accurate results.

Spectrogram: A Mixture-of-Markov-Chains Model for Anomaly Detection in Web Traffic

Yingbo Song, Angelos Keromytis and Salvatore Stolfo, Columbia University
We present Spectrogram, a machine-learning-based sensor for defense against web-layer code-injection attacks. Spectrogram is a network-situated sensor that dynamically reassembles packets to reconstruct web requests, allowing it to monitor content flows. Unlike many existing sensors, Spectrogram does not rely on signatures to detect malicious content. Instead, it learns models for legitimate input. We describe an efficient model for this task in the form of mixtures of Markov chains and derive the corresponding training algorithm.

Detecting Forged TCP Reset Packets

Nicholas Weaver, ICSI; Robin Sommer, ICSI and LBNL; Vern Paxson, University of California Berkeley and ICSI
Many network management tools, including censorship, traffic management, and IDS systems, terminate connections by injecting TCP Reset (RST) packets into "undesired" flows. We developed an efficient network detector for these injected packets based on race conditions and then a set of fingerprints which allow us to identify many of the devices as well as various benign sources. We were able to detect P2P disruptions, dynamic spam and malcode blocking, and Chinese censorship.

Coordinated Scan Detection

Carrie Gates, CA Labs
Coordinated attacks distribute the tasks involved in an attack amongst multiple sources. We present a detection algorithm that is based on an adversary model of desired information gain and employs heuristics similar to those for solving the set covering problem. A detector is developed and tested against coordinated horizontal and strobe scanning activity. Experimental results demonstrate an acceptably low false positive rate, and we discuss the conditions required to maximize the detection rate.

RB-Seeker: Auto-detection of Redirection Botnets

Xin Hu, Matt Knysz and Kang G. Shin, University of Michigan Ann Arbor
This paper presents the design, implementation and evaluation of Redirection Bot Seeker (RB-Seeker) for automatic detection of redirection botnets. As a misdirection mechanism for evading detection, RBs are used in tandem with other criminal scams (e.g., spam/phishing) to misdirect victims to the actual host of nefarious content. RB-Seeker makes use of comprehensive and abundant data sources (i.e., netflow, DNS logs, spam) and develops a 2-tier detection strategy utilizing hyperplane decision functions to achieve better detection capability for both aggressive and stealthy RBs with a low false positive rate.

Scalable, Behavior-Based Malware Clustering

Ulrich Bayer, Paolo Milani Comparetti and Clemens Hlauschek, Technical University Vienna; Christopher Kruegel, University of California Santa Barbara; Engin Kirda, Institute Eurecom
Anti-malware companies receive thousands of malware samples every day. Many of these samples are in fact variations (or even automatic mutations) of previously known malware. We propose an algorithm for clustering malware samples based on an accurate characterization of their behavior that is capable of scaling up to the size of real-world malware databases. We present results on datasets of up to 75000 malware samples, and show that our approach achieves better precision than previous techniques.

K-Tracer: A System for Extracting Kernel Malware Behavior

Andrea Lanzi, Monirul Sharif and Wenke Lee, Georgia Institute of Technology
Kernel rootkits provide user-level malware programs with additional capabilities for hiding their malicious activities by altering the legitimate kernel behavior of the operating system. In this paper, we present an approach that enables automatic discovery of the system data manipulation behaviors of rootkits. We have performed experiments on several kernel malware samples and shown that our system can successfully extract all malicious data manipulation behaviors from them. We also discuss the limitations of our current system with respect to newer rootkit strategies.

RAINBOW: A Robust and Invisible Non-Blind Watermark for Network Flows

Amir Houmansadr, Negar Kiyavash and Nikita Borisov, University of Illinois at Urbana-Champaign
Linking network flows is an important problem in intrusion detection as well as anonymity. Passive traffic analysis can link flows but requires long periods of observation to reduce errors. We propose a new, non-blind watermarking scheme called RAINBOW, inheriting features from passive schemes and blind watermarking schemes. RAINBOW provides practically negligible error rates using tiny-valued watermarks on a small number of packets. RAINBOW does so while providing a high degree of invisibility and also robustness to flow modifications.

Charles Wright, MIT Lincoln Laboratory; Scott Coull, Johns Hopkins University; Fabian Monrose, University of North Carolina
In this paper, we propose a novel method of thwarting statistical traffic analysis by optimally morphing one class of traffic to look like another class with respect to a given set of features. Through the use of mathematical optimization techniques, we are able to optimally change these features in real-time to significantly reduce the accuracy of the classifier while incurring far less overhead than padding. We demonstrate this technique against two recent traffic classifiers from the literature: one for VoIP and one for web traffic.

Recursive DNS Architectures and Vulnerability Implications

David Dagon, Manos Antonakakis, Xiapu Luo, Christopher P. Lee and Wenke Lee, Georgia Institute of Technology; Kevin Day, kevinday.com
We explore how different DNS resolver architectures affect the risk of DNS poisoning. To measure the threat found in existing and recent DNS attacks, we create a comprehensive DNS poisoning model, and demonstrate its sensitivity compared to previous work. We further catalog major architectural choices DNS implementers can make in query management. We note real-world instances where these choices have weakened the security of resolvers. Our study points to the need for secure DNS replacements.

Hong Chen, Ninghui Li and Ziqing Mao, Purdue University
Recently, several Mandatory Access Control protection systems, e.g., SELinux and AppArmor, have been proposed to enhance the security of operating systems. We propose an approach to analyze and compare the quality of protection of these protection systems. We introduce the notion of vulnerability surfaces under attack scenarios as the measurement of protection quality, and implement a tool for computing the vulnerability surfaces. We use our tool to analyze and compare SELinux and AppArmor in several Linux distributions.

Tielei Wang, Tao Wei and Wei Zou, Peking University; Zhiqiang Lin, Purdue University
We present a system, IntScope, which can automatically detect integer overflow vulnerabilities in x86 binaries. IntScope simulates program execution, tracks the propagation of tainted data, and identifies the vulnerabilities caused by the misuse of overflowed values. IntScope is scalable to large software, as it symbolically executes only the interesting program paths. Experimental results show that IntScope is highly effective and practical. IntScope has detected more than 20 zero-day integer overflow vulnerabilities in several popular software packages, including QEMU, Xen and Xine.

Safe Passage for Passwords and Other Sensitive Data

Jonathan McCune and Adrian Perrig, Carnegie Mellon University; Michael Reiter, University of North Carolina
The prevalence of malware such as keyloggers and screen scrapers has made the prospect of providing sensitive information via web pages disconcerting. We present a system that totally circumvents the legacy input path, thereby excluding the operating system and the entire software stack running thereupon from the TCB for sensitive input, without a VMM. We allow the user to specify strings of input as sensitive, and ensure that these inputs reach the legacy platform already in a protected state.

Conditioned-safe Ceremonies and a User Study of an Application to Web Authentication

Chris Karlof, J.D. Tygar and David Wagner, University of California Berkeley
We introduce the notion of conditioned-safe ceremonies for humans. A ceremony is similar to the conventional notion of a network protocol, except that a ceremony explicitly includes human participants as nodes in the network. We argue that designers should build ceremonies such that human tendencies reinforce security rather than undermine it, as with many current ceremonies, such as password authentication. We propose several design principles towards building conditioned-safe ceremonies and apply these principles to develop a registration ceremony for machine authentication based on email. We evaluated our email registration ceremony with a user study of 200 participants, and we present the results.

CSAR: A Practical and Provable Technique to Make Randomized Systems Accountable

Michael Backes, Saarland University and MPI-SWS; Peter Druschel, MPI-SWS; Andreas Haeberlen, MPI-SWS and Rice University; Dominique Unruh, Saarland University
We describe CSAR, a novel technique for generating cryptographically strong, accountable randomness. Using CSAR, we can generate a pseudo-random sequence and a proof that the elements of this sequence up to a given point have been correctly generated, while future values in the sequence remain unpredictable. CSAR enables accountability for distributed systems that use randomized protocols. External auditors can check if a node has deviated from its expected behavior without learning anything about the node's future random choices. In particular, an accountable node does not need to leak secrets that would make its future actions predictable. We demonstrate that CSAR is practical and efficient, and we apply it to implement accountability for a server that uses random sampling for billing purposes.